Computer system security is traditionally regarded as a primarily
technological concern; the fundamental questions to which security researchers
address themselves are those of the mathematical guarantees that can be made
for the performance of various communication and computational challenges.
However, in our research, we focus on a different question. For us, the
fundamental security question is one that end-users routinely encounter and
resolve for themselves many times a day -- the question of whether a system is
secure enough for their immediate needs. In this paper, we will describe our
explorations of this issue. In particular, we will draw on three major elements
of our research to date. The first is empirical investigation into everyday
security practices, looking at how people manage security as a practical,
day-to-day concern, and exploring the context in which security decisions are
made. This empirical work provides a foundation for our reconsideration of the
problems of security to a large degree as an interactional problem. The second
is our systems approach, based on visualization and event-based architectures.
This technical approach provides a broad platform for investigating security
and interaction, based on a set of general principles. The third is our initial
experiences in a prototype deployment of these mechanisms in an application for
peer-to-peer file sharing in face-to-face collaborative settings. We have been
using this application as the basis of an initial evaluation of our technology
in support of everyday security practices in collaborative workgroups.

Security may be compromised when humans make mistakes at the user interface.
Cleartext is mistakenly sent to correspondents, sensitive files are left
unprotected, and erroneously configured systems are left vulnerable to
attackers. Such mistakes may be blamed on human error, but the regularity of
human error suggests that mistakes may be preventable through better interface
design. Certain user-interface constructs drive users toward error, while
others facilitate success. Two security-sensitive user interfaces were
evaluated in a laboratory user study: the Windows XP file-permissions interface
and an alternative interface, called Salmon, designed in accordance with an
error-avoiding principle to counteract the misleading constructs in the XP
interface. The alternative interface was found to be more dependable; it
increased successful task completion by up to 300%, reduced commission of a
class of errors by up to 94%, and provided a nearly 3x speed-up in task
completion time. Moreover, users spent less time searching for information with
the alternative interface, and a greater proportion of time on essential task
steps. An explanatory theory in its early stages of development is presented.

Support for strong electronic mail security is widely available yet only few
communicants appear to make use of these features. Apparently, the operational
overhead of security outweighs its perceived benefits. Towards increasing the
benefits versus overhead ratio we follow an approach that considers security
and usability tradeoffs from the outset. We separate key exchange from binding
keys to identities. The best effort key exchange and key maintenance scheme
that we devise operates transparently for the user. We also describe
complementary visualization and interaction techniques that communicate the
security state of sent and received mail to users in a non-intrusive fashion.
Structured interviews were conducted with 19 users to assess the usability of
the metaphors and the complementary visualizations of the security state.
Towards a practical assessment of the overheads of binding keys to identities,
we conducted a quantitative analysis of 17 users' anonymized mailbox extracts
to determine which security mechanisms would be most appropriate for their
communication patterns. We argue that for individual non-commercial users,
out-of-band verification of keys could be more economical than building trust
in public key certificates issued by third parties.

Grid security is based on public key infrastructure (PKI), an architecture
that offers strong security for inter-institutional projects, making it ideal
for computational grids. However, current PKI implementations suffer from
serious usability issues in terms of end-user acquisition and management of
credentials, something which grid security inherits from its PKI foundation. In
this paper, we describe two parallel efforts to apply the concept of
"Plug-and-Play PKI", designed to improve PKI usability, to improve the
usability of grid security.

Keywords: Usability; Security; PKI; Grid computing

PassPoints: Design and longitudinal evaluation of a graphical password
system

Computer security depends largely on passwords to authenticate human users.
However, users have difficulty remembering passwords over time if they choose a
secure password, i.e. a password that is long and random. Therefore, they tend
to choose short and insecure passwords. Graphical passwords, which consist of
clicking on images rather than typing alphanumeric strings, may help to
overcome the problem of creating secure and memorable passwords. In this paper
we describe PassPoints, a new and more secure graphical password system. We
report an empirical study comparing the use of PassPoints to alphanumeric
passwords. Participants created and practiced either an alphanumeric or
graphical password. The participants subsequently carried out three
longitudinal trials to input their password over the course of 6 weeks. The
results show that the graphical password users created a valid password with
fewer difficulties than the alphanumeric users. However, the graphical users
took longer and made more invalid password inputs than the alphanumeric users
while practicing their passwords. In the longitudinal trials the two groups
performed similarly on memory of their password, but the graphical group took
more time to input a password.

The weakness of knowledge-based authentication systems, such as passwords
and Personal Identification Numbers (PINs), is well known, and reflects an
uneasy compromise between security and human memory constraints. Research has
been undertaken for some years now into the feasibility of graphical
authentication mechanisms in the hope that these will provide a more secure and
memorable alternative. The graphical approach substitutes the exact recall of
alphanumeric codes with the recognition of previously learnt pictures, a skill
at which humans are remarkably proficient. So far, little attention has been
devoted to usability, and initial research has failed to conclusively establish
significant memory improvement. This paper reports two user studies comparing
several implementations of the graphical approach with PINs. Results
demonstrate that pictures can be a solution to some problems relating to
traditional knowledge-based authentication but that they are not a simple
panacea, since a poor design can eliminate the picture superiority effect in
memory. The paper concludes by discussing the potential of the graphical
approach and providing guidelines for developers contemplating using these
mechanisms.

As information technology continues to spread, we believe that there will be
an increasing awareness of a fundamental need to address privacy concerns, and
that doing so will require an understanding of policies that govern information
use accompanied by development of technologies that can implement such
policies. The research reported here describes our efforts to design a system
which facilitates privacy policy authoring, implementation, and compliance
monitoring. We employed a variety of user-centered design methods with 109
target users across the four steps of the research reported here. This case
study highlights the work of identifying organizational privacy requirements,
iteratively designing and validating a prototype with target users, and
conducting laboratory tests to guide specific design decisions to meet the
needs of providing flexible privacy enabling technologies. Each of the four
steps in our work is identified and described, and directions for future work
in privacy are suggested.

An understanding of 'communities of practice' can help to make sense of
existing security and privacy issues within organizations; the same
understanding can be used proactively to help bridge the gap between
organizational and end-user perspectives on these matters. Findings from two
studies within the health domain reveal contrasting perspectives on the 'enemy
within' approach to organizational security. Ethnographic evaluations involving
in-depth interviews, focus groups and observations with 93 participants
(clinical staff, managers, library staff and IT department members) were
conducted in two hospitals. All of the data was analysed using the social
science methodology 'grounded theory'. In one hospital, a community and
user-centred approach to the development of an organizational privacy and
security application produced a new communication medium that improved
corporate awareness across the organization. User involvement in the
development of this application increased the perceived importance, for the
designers, of application usability, quality and aesthetics. However, other
initiatives within this organization produced clashes with informal working
practices and communities of practice. Within the second hospital, poor
communication from IT about security mechanisms resulted in their misuse by
some employees, who viewed them as a socially controlling force. Authentication
mechanisms were used to socially exclude users who were formally authorized to
access systems but whose access was unacceptable within some local communities
of practice. The importance of users' security awareness and control are
reviewed within the context of communities of practice.

Several recent surveys conclude that people are concerned about privacy and
consider it to be an important factor in their online decision making. This
paper reports on a study in which (1) user concerns were analysed more deeply
and (2) what users said was contrasted with what they did in an experimental
e-commerce scenario. Eleven independent variables were shown to affect the
online behavior of at least some groups of users. Most significant were trust
marks present on web pages and the existence of a privacy policy, though users
seldom consulted the policy when one existed. We also find that many users have
inaccurate perceptions of their own knowledge about privacy technology and
vulnerabilities, and that important user groups, like those similar to the
Westin "privacy fundamentalists", do not appear to form a cohesive group for
privacy-related decision making. In this study we adopt an experimental
economic research paradigm, a method for examining user behavior which
challenges the current emphasis on survey data. We discuss these issues and the
implications of our results on user interpretation of trust marks and
interaction design. Although broad policy implications are beyond the scope of
this paper, we conclude by questioning the application of the ethical/legal
doctrine of informed consent to online transactions in the light of the
evidence that users frequently do not consult privacy policies.

As with all the major advances in information and communication technology,
ubiquitous computing (ubicomp) introduces new risks to individual privacy. Our
analysis of privacy protection in ubicomp has identified four layers through
which users must navigate: the regulatory regime they are currently in, the
type of ubicomp service required, the type of data being disclosed, and their
personal privacy policy. We illustrate and compare the protection afforded by
regulation and by some major models for user control of privacy. We identify
the shortcomings of each and propose a model which allows user control of
privacy levels in a ubicomp environment. Our model balances the user's privacy
preferences against the applicable privacy regulations and incorporates five
types of user controlled "noise" to protect location privacy by introducing
ambiguities. We also incorporate an economics-based approach to assist users in
balancing the trade-offs between giving up privacy and receiving ubicomp
services. We conclude with a scenario and heuristic evaluation which suggests
that regulation can have both positive and negative influences on privacy
interfaces in ubicomp and that social translucence is an important heuristic
for ubicomp privacy interface functionality.

Technological systems for use in public places need to be designed so people
can use them efficiently, effectively, safely and with satisfaction. A
component factor in satisfaction is perceived privacy. Current guidelines aimed
at improving accessibility may impact users perceptions of privacy. The aim of
this study was to explore whether different screen sizes affect users'
perceptions of privacy. Also, if partitioning around screens influences privacy
perceptions. An opportunity sample of 60 participants took part in the study.
The results that revealed 12" screens were perceived as more private by users
than 15 and 17" screens. Adding privacy partitions improved user's perceptions
of privacy on the 12 and 15" screens but not on the 17". These findings provide
evidence that slight changes in the physical design of systems can increase
users' perceived levels of privacy and therefore satisfaction.

IJHCS 2005 Volume 63 Issue 3

ARTICLE

Speed-dependent automatic zooming (SDAZ) has been proposed for standard
desktop displays as a means of overcoming problems associated with the
navigation of large information spaces. SDAZ combines zooming and panning
facilities into a single operation, with the magnitude of both factors
dependent on simple user interaction. Previous research indicated dramatic user
performance improvements when using the technique for document and map
navigation tasks. In this paper, we propose algorithmic extensions to the
technique for application on small-screen devices and present a comparative
experimental evaluation of user performance with the system and a normative
scroll-zoom-pan interface. Users responded positively to the system,
particularly in relation to reduced physical navigational workload. However,
the reduced screen space reduced the impact of SDAZ in comparison to that
reported in previous studies. In fact, for one-dimensional navigation (vertical
document navigation) the normative interface out-performed SDAZ. For navigation
in two dimensions (map browsing) SDAZ supports more accurate target location,
and also produces longer task completion times. Some SDAZ users became lost
within the information space and were unable to recover navigational context.
We discuss the reasons for these observations and suggest ways in which
limitations of SDAZ in the small-screen context may be overcome.

The aim of this study was to empirically evaluate an embodied conversational
agent called GRETA in an effort to answer two main questions: (1) What are the
benefits (and costs) of presenting information via an animated agent, with
certain characteristics, in a 'persuasion' task, compared to other forms of
display? (2) How important is it that emotional expressions are added in a way
that is consistent with the content of the message, in animated agents? To
address these questions, a positively framed healthy eating message was created
which was variously presented via GRETA, a matched human actor, GRETA's voice
only (no face) or as text only. Furthermore, versions of GRETA were created
which displayed additional emotional facial expressions in a way that was
either consistent or inconsistent with the content of the message. Overall, it
was found that although GRETA received significantly higher ratings for
helpfulness and likability, presenting the message via GRETA led to the poorest
memory performance among users. Importantly, however, when GRETA's additional
emotional expressions were consistent with the content of the verbal message,
the negative effect on memory performance disappeared. Overall, the findings
point to the importance of achieving consistency in animated agents.

Evaluation of the appropriateness of information technical systems for
complex professional usage in safety-critical contexts poses significant
methodical and practical challenges. In this study, the usability of a Safety
Information and Alarm Panel (SIAP) in a nuclear power plant control room was
tested. An integrated validation concept was used that included a new approach
to measuring system and operator performance in complex work environments. The
tested system was designed to aid the operators in severe disturbance and
emergency situations. It had already been implemented at a nuclear power plant.
The study was conducted in a full-scope training simulator. The results
verified that an acceptable level of performance could be achieved when using
the SIAP. When the operators' practices were analysed by a habit-centred
analysis, it was discovered that the effects of the SIAP differed between crews
and between test scenarios. Thus, the SIAP tended to promote coherence of
practices but reduce situatively attentive action. In diffuse task contexts the
tool failed to support the shift supervisor's control of the overall process
situation, his awareness of the crew's work load and his ability to update the
crew's awareness of the process. The operators reported that the system
supported their process control activity and reduced stress in the situation,
but the shift supervisors and operators also noticed some possible negative
effects of the tool. These subjective evaluations corresponded to the effects
observed in practice. The results revealed the complexity of the implementation
of new tools into professional practice. It was proposed that a validation
project should focus on the trajectory of development of the entire distributed
cognitive system instead of comprehending validation studies as tests of the
effects of information systems on a pre-defined process output. Formative
evaluation criteria are needed in projecting distributed cognitive systems.

ARTICLE

The different ways that computers can be involved in creative work are
examined. A classification based on four categories of human-computer
interaction to promote creativity is proposed: computers may facilitate (a) the
management of creative work, (b) communication between individuals
collaborating on creative projects, (c) the use of creativity enhancement
techniques, (d) the creative act through integrated human-computer cooperation
during idea production. The papers in the Special Issue are discussed according
to this classification. Issues to be considered in future work on
human-computer interactions for promoting creativity are discussed.

Creativity is typically thought of in the singular -- as an attribute. But
it may instead be multiple. This article investigates three respects in which
there might be multiple creativities -- processes, domains, and styles. It
considers different potential models for multiple creativities. It concludes by
suggesting that the different respects in which creativity might be multiple
are complementary rather than mutually exclusive.

This paper addresses the problem of creating a human-centered computer-based
support environment to facilitate innovation and creative work. It focuses on
key factors to be considered in the design and development of any such user
support environment regardless of the specific domain for which it may be
implemented. The paper reviews psychological literature on how creativity,
insight and innovation occur and how they can be fostered in working
environments. Based on this discussion the paper then describes a generic set
of user or functional requirements intended to apply to any domain-specific
computer-based working environment for support of creative activities. The
paper proposes the conceptual model of a Virtual Workbench as a way of
capturing some of these requirements and as a way of organizing thinking about
the design of creative problem solving environments (CPSEs) in general.
Finally, the paper proposes one possible translation of the Virtual Workbench
and some of the functional requirements into a view of a generic model for
CPSEs by describing three component sets of functions that would be a subset of
those needed in almost any domain-specific CPSE.

Creativity might be viewed as any process which results in a novel and
useful product. People use computers for creative tasks; they flesh out ideas
for text, graphics, engineering solutions, etc. Computer programming is an
especially creative activity, but few tools for programming aid creativity.
Computers can be designed to foster creativity as well. As a start, all
computer programs should help users enumerate ideas, remember alternatives and
support various ways to compare them. More sophisticated thinking aids could
implement other successful techniques as well. Most computers are used in
solitude; however, people depend on social supports for creativity. User
scenarios can provide the important social support and gracious cues normally
offered by collaborators that keep people motivated and help them consider
alternatives. People also use computers to build community and to communicate.
Computers should also support and filter these potentially creativity-enhancing
communication acts. User-interface designers are so busy exposing features and
fighting bugs that they might ignore their users' needs for motivation and
creativity support. This paper develops the notion that creativity and
motivation enhancement can easily be aligned with the design of high-quality
human-computer interaction. User interface toolkits and evaluations should
include support for motivation and creativity-enhancing approaches.

In order to contribute to a better understanding of creativity in
non-routine design activities, we conducted an experimental study that focused
on a cognitive mechanism involved in creative design, that of the re-use of
aspects derived from previous sources of inspiration. Our objective was to
determine to what extent designers consider potential sources as useful for
solving a specific design problem. Since the relevance of sources of
inspiration may be appreciated differently according to the level of expertise
in design, the experiment was performed with two groups of participants:
experienced designers and inexperienced designers. The results show differences
in the number and nature of the aspects selected by each group of designers as
well as in the judgments of usefulness they expressed about the different types
of suggested sources of inspiration. On this basis, we discuss how these
findings may influence the design of a computational system supporting creative
design tasks and we consider how to facilitate the progression from novices to
experienced designers.

Developing learning experiences that facilitate self-actualization and
creativity is among the most important goals of our society in preparation for
the future. To facilitate deep understanding of a new concept, to facilitate
learning, learners must have the opportunity to develop multiple and flexible
perspectives. The process of becoming an expert involves failure, as well as
the ability to understand failure and the motivation to move onward.
Meta-cognitive awareness and personal strategies can play a role in developing
an individual's ability to persevere through failure, and combat other diluting
influences. Awareness and reflective technologies can be instrumental in
developing a meta-cognitive ability to make conscious and unconscious decisions
about engagement that will ultimately enhance learning, expertise, creativity,
and self-actualization. This paper will review diverse perspectives from
psychology, engineering, education, and computer science to present
opportunities to enhance creativity, motivation, and self-actualization in
learning systems.

Creativity research is a large and varied field in which the subject is
characterized on many different levels. The arrival of digital media and
computational tools has opened up new possibilities for creative practice. The
cutting edge in the digital arts is a highly fertile ground for the
investigation of creativity and the role of new technologies. The demands of
such work often reveal the limitations of existing technologies and open the
door to developing new approaches and techniques. This provides the creativity
researcher with opportunities to understand the multi-dimensional
characteristics of the creative process. At the same time, it places new
demands upon the creators of the technological solutions and pushes forward our
understanding of the future requirements of creative technologies. This paper
is concerned with the nature of creativity and the design of creativity
enhancing computer systems. The research has multi-disciplinary foundations in
human-computer interaction and creative practice in Art, Design, Science and
Engineering. As a result of a series of studies of creative people and the
associated developments in technology, a strategy for practice-based research
has evolved in which research and practice are interdependent activities that
have mutual benefits as well as distinctive outcomes. This paper charts the
development of that co-evolutionary process from the foundation studies to
recent outcomes of a major project in art and technology collaboration. The
notion of the Studio as a laboratory in the field is introduced and a new
methodology for systematic practice-based research is presented. From the
results of the investigations that took place, opportunities for the
development of technology environments for creative collaboration are proposed.

The power of the unaided individual mind is highly overrated. Although
society often thinks of creative individuals as working in isolation,
intelligence and creativity result in large part from interaction and
collaboration with other individuals. Much human creativity is social, arising
from activities that take place in a context in which interaction with other
people and the artifacts that embody collective knowledge are essential
contributors. This paper examines: (1) how individual and social creativity can
be integrated by means of proper collaboration models and tools supporting
distributed cognition; (2) how the creation of shareable externalizations
("boundary objects") and the adoption of evolutionary process models in the
construction of meta-design environments can enhance creativity and support
spontaneous design activities ("unselfconscious cultures of design"); and (3)
how a new design competence is emerging -- one that requires passage from
individual creative actions to synergetic activities, from the reflective
practitioner to reflective communities and from given tasks to personally
meaningful activities. The paper offers examples in the context of
collaborative design and art practice, including urban planning, interactive
art and open source. In the effort to draw a viable path "beyond binary
choices", the paper points out some major challenges for the next generation of
socio-technical environments to further increase the integration of individual
and social creativity.

This paper describes our approach for the design and development of
application systems for early stages of information design tasks. We view a
computational tool as something that provides materials with which a designer
interacts to create a situation that talks back to the designer. The
interaction design of a tool, that is, the representations a user can generate
and how the user can manipulate them with the tool, influences a user's
cognitive processes. The tool's interaction design thus either fosters or
hinders creativity in the early stages of information design. Our approach
toward the interaction design of a tool for fostering creativity is first to
understand the nature of early stages of information design tasks. We discuss
four issues in support of the early stages of design based on theories in
design and in human-computer interaction: (1) that available means of
externalizations influence designers in deciding which courses of actions to
take; (2) that designers generate and interact with not only a partial
representation of the final artefact but also various external representations;
(3) that designers produce externalizations to express a solution as well as to
interpret the situations; and (4) that a design task proceeds as a hermeneutic
circle -- that is, designers proceed with projected meanings of representations
and gradually revise and confirm those meanings. The above theoretical account
of early stages of information design tasks has led us to identify three
interaction design principles for tools for the early stages of information
design: interpretation-rich representations, representations with constant
grounding and interaction methods for hands-on generation and manipulation of
the representations. To illustrate our point, we take ART#001, a tool for the
early stages of writing, to apply the interaction design principles and examine
how the interaction design of the tool fosters creativity in the early stages
of information design. The paper concludes with a discussion of how we
generalize the approach and build a framework to design and develop application
systems for fostering creativity in the early stages of information design.

This study examined age differences in the use of an electronic
three-dimensional (3D) environment, and how the age differences were affected
by the use of an overview map as a navigation aid. Task performance and the
subjects' acquisition of configural knowledge of the 3D-environment were
assessed. Impact of spatial ability and prior experience on these measurements
were also investigated. One group of older subjects (n=24) and one group of
younger subjects (n=24) participated. An overall hypothesis for the work
presented here was that differences in learning to and performing navigational
tasks in the physical world are similar in learning and performing navigational
tasks in the virtual world. The results showed that the older participants
needed more time to solve the tasks; and similar to navigation in the physical
world, the older participants were less likely to create configural knowledge.
It could not be established that older participants benefited more from an
overview map as cognitive support than younger subjects, except in the
subjective sense: the older users felt more secure when the map was there. The
map seemed to have supported the older users in creating a feeling of where
objects were located within the environment, but it did not make them more
efficient. The results have implications for design; in particular, it brings
up the difficult issue of balancing design goals such as efficiency in terms of
time and functionality, against maintaining a sense of direction and location
in navigational situations.

This article describes an experiment investigating the impact of ecological
interface design (EID) on human performance in computer network management.
This work domain is more dynamic than those previously studied under EID
because there is a constant potential for the addition and removal of devices,
as well as changing configurations, making it important to study the
generalizability of the framework. Two interfaces were created for the
University of Toronto campus network consisting of 220 nodes: a P interface
based on existing design practices which presented primarily physical
information and a P+F interface based on EID which presented both physical and
functional information identified by an abstraction hierarchy analysis.
Participants used one of the two interfaces to detect and diagnose faults or
disturbances in the simulated network in real-time. Network size and fault
frequency were both manipulated as within-participants variables. The P+F
interface led to faster detection times overall, as well as improved fault
detection rate and more accurate fault diagnosis under higher fault loads.
These results suggest that the EID framework may lead to more robust monitoring
performance in computer network management compared to existing interfaces.

The use of procedure systems is an important safety management strategy in
coping with emergency or abnormal situations in a process control system. With
the digitalization trend in these complex and large-scale systems, most aspects
of a process control system are also computerized. In addition to the primary
tasks, operators now have to do extra secondary tasks when using the
computerized systems. In this research, three design features aimed to reduce
the cognitive workload are evaluated on our research platform, SimCBP and
SimPlant. These two systems work in tandem to simulate a Computer-Based
Procedure (CBP) system and a simplified nuclear power plant. From the results
of the experiments, the design of embedded controls/parameters is found to be
efficient but its counterpart has implications for the design of training
materials. Navigation aid, although not statistically significant, is important
because of the subjective responses and the need of cross-referencing. The
simplified flowchart display format, like other researches on the use of this
format, revealed mixed results. Implications and directions for future studies
are also proposed.

Evidence shows that integrated development environments (IDEs) are too often
functionality-oriented and difficult to use, learn, and master. This article
describes challenges in the design of usable IDEs and in the evaluation of the
usability of such tools. It also presents the results of three different
empirical studies of IDE usability. Different methods are sequentially applied
across the empirical studies in order to identify increasingly specific kinds
of usability problems that developers face in their use of IDEs. The results of
these studies suggest several problems in IDE user interfaces with the
representation of functionalities and artifacts, such as reusable program
components. We conclude by making recommendations for the design of IDE user
interfaces with better affordances, which may ameliorate some of most serious
usability problems and help to create more human-centric software development
environments.